Can a virus corrupt the BIOS? Removing a banner using AntiSMS

Today it costs nothing to catch a virus on a computer. It is enough to visit a questionable site or open an unknown file, and that's it. There are many viruses around now, but one of the most insidious is the ransomware banner, first of all because it almost completely blocks the PC. That is why a second computer or laptop is usually indispensable here.

So, the initial situation was as follows. I was asked to help with a laptop. After a restart, the system suddenly began asking for a password when entering Windows, although no one had set one (the day before, everything started without a password). The user tried all of their passwords, but of course none of them fit.

Actually, this information didn't tell me much; I thought I would have to bypass the password. Trying combinations was pointless, so I didn't enter anything and just pressed Enter. And then, voila, the system booted. Hooray, problem solved? Not at all: it only got better.

You are blocked, pay a fine!

After turning on the laptop, a huge banner appeared on the desktop, covering the whole screen. It said that Windows had been blocked for watching "interesting movies" and so on.

To be honest, I sometimes understand parents. When you read such a banner on your child's laptop and see the stated reason for the block, the thought immediately pops into your head: "Oh, you little prankster." And the hands reach for the belt. This is probably why children are afraid to report it and do completely unnecessary things, such as paying the "fine" to the attacker.

So, from the banner it is immediately clear that this is a virus. You just need to find and delete it. But there is one problem: the banner blocks the system, and nothing can be done on the desktop.

Try it first. If the virus does not allow you to do this, then only one option remains: treatment with an antivirus utility from a USB flash drive, booted via the BIOS.

Trying to remove the virus with an antivirus utility

So, to get rid of the virus, you need to write any Live CD antivirus utility to a USB flash drive. It could be Dr.Web, Avast, Kaspersky, whatever.

Since the infected laptop is locked, you will need another PC. With it, you can download the utility and write it to a USB flash drive. It's good that today almost every home has 2-3 computers or laptops 🙂

The flash drive must be bootable. That is, it must be written with a special program. For example, you can.

If you do everything correctly, the antivirus utility will start instead of Windows. Then you just need to run a virus scan and wait for it to finish.

In my case, the scan took more than an hour. Or more. Then I got tired of waiting. And the sad look of the person worried about his laptop and the data on it suggested that something needed to change. In the end, I cancelled this ill-fated scan and decided to look for another way.

Removing a banner using AntiSMS

There is an excellent utility called AntiSMS. It is perfect for inexperienced users who face this problem for the first time.

Its advantage is that it does not scan the entire system for viruses but immediately removes this annoying banner. You can get rid of it manually, but for that you need to know how. The AntiSMS utility performs all these actions automatically. As a result, the ransomware banner is removed in just 10 minutes.

Again: you need to write the utility to a bootable USB flash drive, boot from it via the BIOS and run it. Then wait a couple of minutes until you see a message that the virus was successfully removed. Restart the PC or laptop; it should start up and the banner will be gone. In my case, the problem was indeed solved with AntiSMS.

The utility is free and can be found on the official website. Also, a new program from the same developers has already appeared: SmartFix.

This is how the computer was unlocked from the virus. By the way, according to the user, the infection was most likely picked up on an essays (abstracts) website. Advertising banners popped up; when he tried to close them, the system froze, then rebooted, and voila, on logging into Windows it already asked for a password. And then, as it turned out, a virus was waiting with a formidable message demanding a fine to unlock the PC.

Of course, no one should pay; the banner will not disappear because of it. The only one who benefits is the attacker: he will see that this way of "making money" works and will continue to spread his viruses on all kinds of sites.

In early September, the experts of Doctor Web's virus laboratory received a notable sample of a malicious program dubbed Trojan.Bioskit.1. In its functionality it is a standard Trojan that infects the MBR (the boot area of a disk) and tries to download something from the network. After research carried out by Doctor Web specialists, it turned out that it also contains mechanisms that allow infecting the BIOS of a computer's motherboard.

The more details of this malicious program's operation were revealed during the research, the more we became convinced that it was either an experimental development rather than a full-fledged malicious program, or that it "leaked" earlier than the author would have liked. This, in particular, may be evidenced by the following facts:

  • checking of command-line parameters (launching this instance of the Trojan with the -u switch disinfects the system);
  • use of third-party utilities;
  • the code that deactivates the virus after 50 days is disabled;
  • the presence of two different variants for infecting system files (of which only one is used);
  • errors in the code that look like typos.

But all these circumstances in no way diminish the potential danger of this Trojan. Let us note right away that only motherboards equipped with an Award BIOS can be infected.

Infection

Initially, the dropper of Trojan.Bioskit.1 checks whether the processes of several Chinese antiviruses are running in the operating system: if any are detected, the Trojan creates a transparent dialog box from which its main function is called. Then Trojan.Bioskit.1 determines the version of the operating system and, if it is Windows 2000 or later (except Windows Vista), continues the infection. The Trojan checks the command line, from which it can be launched with various switches:

  • -d: this switch does nothing (the function was probably removed in the "release build");
  • -w: infect the system (the default);
  • -u: disinfect the system (including the MBR and BIOS).

Several files are packed in the resources of the dropper:

  • cbrom.exe
  • hook.rom
  • my.sys
  • flash.dll
  • bios.sys

In the course of its work, the dropper unpacks the driver and saves it to disk as %windir%\system32\drivers\bios.sys. If the system has a device \\.\MyDeviceDriver (the dropper under investigation does not contain a driver that implements such a device), the Trojan writes the library %windir%\flash.dll to disk and, most likely, tries in turn to inject it into the system processes services.exe, svchost.exe and explorer.exe. The purpose of this library is to launch the driver bios.sys by regular means (the Service Control Manager), creating a service named bios. When the library is unloaded, this service is removed. If the \\.\MyDeviceDriver device is missing, the Trojan installs itself on the system by overwriting the system driver beep.sys. Once started, beep.sys is restored from a previously created copy. The only exception to this rule is made for Microsoft Windows 7: on this system, the dropper writes the library %windir%\flash.dll to disk and loads it itself.

Then the dropper saves the rootkit driver to the root of drive C: as my.sys. If the bios.sys driver failed to start or the computer's BIOS is not an Award BIOS, the Trojan proceeds to infect the MBR. A file %temp%\hook.rom is written to disk, which is a full-fledged PCI Expansion ROM module. But at this stage it is only used as a container from which data is extracted for subsequent writing to disk. After that, the first 14 sectors of the hard disk are overwritten, including the MBR. The original MBR is kept in the eighth sector.

My.sys driver

By today's standards, this is a rather primitive driver: it hooks the IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_DEVICE_CONTROL handlers of the system driver disk.sys, whereby:

  • IRP_MJ_READ returns zeros instead of the first 63 sectors of the hard drive;
  • IRP_MJ_WRITE does not allow writing to the first 63 sectors. At the same time, the driver tries to allow its own dropper to overwrite the MBR and the other sectors, but due to an obvious error in the code the trick does not work: the Trojan's author allows overwriting 0x14 (20) sectors, whereas the dropper writes only 0xE (14);
  • IRP_MJ_DEVICE_CONTROL returns STATUS_UNSUCCESSFUL in response to the requests IOCTL_DISK_GET_DRIVE_LAYOUT_EX, IOCTL_STORAGE_GET_MEDIA_TYPES_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX.
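A defender-side check, added here as an example and not part of Doctor Web's write-up, that exercises the two details above: the original MBR displaced into one of the first 14 sectors behind a replaced sector 0, and the my.sys driver returning zeros for the first 63 sectors (so an all-zero disk head read from inside a running system is itself the signal). The sample images are constructed, not real captures; run it against a raw image taken offline for the displaced-MBR check.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xaa"
HEAD_SECTORS = 63       # region that my.sys hides (reads as zeros) and write-protects
OVERWRITTEN = 14        # sectors the dropper overwrites, MBR included


def is_plausible_mbr(sector: bytes) -> bool:
    """True if the sector has a boot signature and a sane partition table."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):   # boot-indicator byte
        return False
    return any(e[4] != 0 for e in entries)               # at least one partition type set


def inspect_disk_head(image: bytes) -> str:
    """Classify the first 63 sectors as 'hidden', 'bioskit-pattern' or 'clean'."""
    head = image[:HEAD_SECTORS * SECTOR]
    if len(head) == HEAD_SECTORS * SECTOR and head == bytes(len(head)):
        return "hidden"             # what the hooked IRP_MJ_READ hands back on a live system
    sector0 = image[:SECTOR]
    # The write-up says the original MBR is kept in the eighth sector; scan the whole
    # overwritten range (sectors 1..13) so an off-by-one in counting does not matter.
    for n in range(1, OVERWRITTEN):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if is_plausible_mbr(s) and s != sector0:
            return "bioskit-pattern"  # displaced, still-valid MBR behind a different sector 0
    return "clean"


def _make_mbr(code_byte: int) -> bytes:
    """Constructed sample MBR: filler bootstrap code, one active NTFS partition, 0x55AA."""
    part = (bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])
            + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return bytes([code_byte]) * 446 + part + bytes(48) + BOOT_SIG


# Constructed sample images (not real captures), 63 sectors each.
CLEAN_IMAGE = _make_mbr(0x90) + bytes((HEAD_SECTORS - 1) * SECTOR)
_trojan_sector0 = bytes([0xEB]) * 510 + BOOT_SIG   # stand-in for the Trojan's loader sector
INFECTED_IMAGE = (_trojan_sector0 + bytes(7 * SECTOR) + _make_mbr(0x90)
                  + bytes((HEAD_SECTORS - 9) * SECTOR))
HIDDEN_IMAGE = bytes(HEAD_SECTORS * SECTOR)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE), ("hidden", HIDDEN_IMAGE)):
        print(f"{name}: {inspect_disk_head(img)}")
```

A "hidden" verdict only means the disk head could not be read through the running OS; confirm from a boot medium, as the removal procedure earlier on this page already does.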

BIOS infection

But back to the case where the bios.sys driver manages to identify an Award BIOS. It must be said that it is the presence of this driver that distinguishes this malicious program from the long list of similar Trojans that infect the MBR.

The driver is very small and has frightening destructive potential. It implements three methods:

  • identify an Award BIOS (along the way, determine the size of its image and, most importantly, the I/O port through which an SMI (System Management Interrupt) can be triggered programmatically, thus executing code in SMM);
  • save the BIOS image to disk as the file C:\bios.bin;
  • write the BIOS image from the file C:\bios.bin.

Gaining access to, let alone overwriting, the BIOS chip is a non-trivial task. To do this, you first need to communicate with the motherboard chipset to enable access to the chip, then identify the chip itself and apply the erase/write protocol it understands. But the author of this malicious program took an easier path, shifting all these tasks onto the BIOS itself. He took advantage of the work of a Chinese researcher known by the nickname Icelord. The work was done back in 2007: while analysing the Winflash utility for Award BIOS, a simple way of flashing the chip was discovered through a service provided by the BIOS itself in SMM (System Management Mode). SMM program code in SMRAM is not visible to the operating system (if the BIOS is written correctly, it blocks access to this memory) and executes independently of it. The purpose of this code is very diverse: emulation of motherboard capabilities not implemented in hardware, handling hardware errors, managing power modes, service functions, etc.

To modify the BIOS image itself, the malicious program uses the cbrom.exe utility (from Phoenix Technologies), which, like all the other files, it carries in its resources. Using this utility, the Trojan injects its hook.rom module into the image as an ISA BIOS ROM. Then Trojan.Bioskit.1 instructs its driver to reflash the BIOS from the updated file.

On the next restart, during initialization the BIOS will call all available PCI Expansion ROMs, including hook.rom. The malicious code in this module checks the MBR for infection every time and re-infects it if necessary. It should be noted that the presence of an Award BIOS in the system does not at all guarantee infection with this Trojan. Of the three motherboards tested in the virus laboratory, only one could be infected; on the other two, there was simply not enough free space in the BIOS image to write the new module.

MBR infection

The Trojan places code in the MBR whose main task is to infect winlogon.exe (on Windows 2000 and Windows XP) or wininit.exe (on Windows 7). To do this, Trojan.Bioskit.1 has its own NTFS/FAT32 parser. The Trojan maintains a launch counter that is updated once a day. After 50 days, the infected module is expected to be deactivated: it will be modified so that the virus code no longer gains control. But in this version of the Trojan, this mechanism is disabled. In total, Trojan.Bioskit.1 includes two shellcode versions, of which only one is currently active.

Conclusion

It is difficult to overestimate the danger of this kind of threat, especially considering that in the future more advanced modifications of this Trojan, or viruses operating according to a similar algorithm, may appear. Detection and disinfection of the MBR, system files and the virus's file components have now been added to Dr.Web anti-virus software. If, after detection and disinfection, the system becomes infected with Trojan.Bioskit.1 again, the source of infection is most likely an infected computer BIOS. Doctor Web specialists continue to work on the problem.